TL;DR: New S/MIME baseline requirements, a proposed 90-day SSL/TLS certificate validity model, and Mozilla’s plan to distrust older root certificates are pushing PKI teams toward faster renewal and stronger validation, according to GlobalSign. Manual spreadsheets and ad hoc tracking are increasingly mismatched to certificate lifecycle pressure, especially where identity assurance and trust chains affect email and web security.
At a glance
What this is: The article says PKI is moving toward shorter certificate lifetimes, stricter S/MIME validation, and older root distrust, making manual certificate management harder to sustain.
Why it matters: This matters to IAM and security teams because certificate lifecycle failures now affect identity assurance, trust continuity, and operational resilience across human and machine authentication paths.
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read GlobalSign's analysis of PKI policy changes and certificate lifecycle pressure
Context
PKI is a trust and governance problem, not just a cryptography problem. When certificate lifetimes shorten and root stores tighten policy, organisations that still track issuance and renewal manually create avoidable failure points for email, application, and service trust. The primary keyword here is PKI, but the operational issue is certificate lifecycle control.
The identity angle is real because certificates are authenticators. S/MIME validates both mailbox control and message integrity, while SSL/TLS certificates underpin trust in websites, services, and some machine-to-machine communications. Teams that treat certificate inventory as an administrative task rather than an identity control will struggle most as policies become less forgiving.
Key questions
Q: What breaks when certificate lifetimes become too short for manual tracking?
A: Manual tracking breaks first, then ownership, then renewal timing. When certificates move from years to months, spreadsheets and ad hoc reminders miss dependencies, especially in legacy, cloud, and inherited environments. The practical failure is not cryptographic weakness but lifecycle blindness, where valid services go dark because no one can reliably see or renew the certificate in time.
Q: Why do certificates need stronger identity validation for email security?
A: Certificates only deliver assurance if the issuer can prove who controls the mailbox or organisation represented in the certificate. Stronger identity validation reduces impersonation risk, strengthens non-repudiation, and makes signed email meaningful as an assurance control rather than a formatting feature. The validation step is part of identity governance, not just PKI administration.
Q: How should security teams measure whether certificate governance is actually working?
A: Use operational signals, not policy statements. Track certificate expiry outages, provisioning and revocation latency, support ticket volume, and whether teams can identify all cryptographic assets in use. If a trust programme looks compliant on paper but still produces outages, workarounds or blind spots, governance is not working as intended.
Q: Who is accountable when certificate policy changes disrupt communications?
A: Accountability sits with the teams that own certificate inventory, identity assurance, and service continuity, usually across infrastructure, IAM, and security operations. If policy changes are going to break email or web trust, someone must own the root inventory, renewal process, and exception handling before disruption occurs.
Technical breakdown
How shorter certificate lifetimes change PKI operations
A 90-day certificate model compresses the operational window in which issuance, deployment, validation, and revocation must all work correctly. That increases the importance of automation because the failure mode is no longer rare expiry, it is repeated renewal at scale. Shorter lifetimes reduce the value of long-lived compromise, but only if renewal, revocation, and monitoring are reliable. Manual tracking creates a control gap between policy intent and certificate reality.
Practical implication: automate renewal and discovery workflows before short-lived certificates become the default operating model.
Why S/MIME validation is becoming stricter
S/MIME is a certificate-based email security protocol that combines digital signatures and encryption to protect message integrity and confidentiality. The new baseline requirements described by GlobalSign raise the bar for validating mailbox ownership, organisational control, sponsor relationships, and individual identity. That matters because email trust is only as strong as the validation behind the certificate, and weak validation undermines both sender assurance and non-repudiation.
Practical implication: align certificate issuance checks with the identity proofing standard used for the certificate class, not with a generic onboarding process.
What root distrust means for trust-chain governance
When browser vendors distrust older roots, they are effectively removing trust from certificate hierarchies that no longer match current policy expectations. This is a governance event as much as a technical one, because root age, policy alignment, and chain hygiene all become measurable exposure points. Organisations that cannot inventory where certificates chain back to old roots will face hidden breakage across mail, web, and internal trust relationships.
Practical implication: map certificate chains to root policy age and remediate legacy hierarchies before browser distrust causes service disruption.
Threat narrative
Attacker objective: The objective is to exploit weak certificate governance to preserve trust in credentials or disrupt secure communications before controls catch up.
- Entry begins with stale or overlong certificate trust, which allows legacy roots or unmanaged certificates to remain accepted longer than policy intended.
- Escalation occurs when outdated certificate chains or missed renewals create blind spots in validation, making trust decisions less reliable across email and web channels.
- Impact is certificate trust failure, service disruption, or weakened assurance in message authenticity and secure communications.
NHI Mgmt Group analysis
Certificate lifecycle control is now a governance issue, not an admin task. The article shows that policy shifts in PKI are tightening the margin for manual operations. When issuance, renewal, and trust-chain maintenance are still spreadsheet-driven, the problem is not just inefficiency, it is an identity assurance gap. Practitioners should treat certificate lifecycle as part of access governance, especially where certificates authenticate users, services, or email.
Shorter validity periods expose the hidden cost of unmanaged trust chains. A 90-day certificate model does not create trust by itself. It only works when inventory, renewal, and revocation are continuous and accurate, which is why certificate sprawl becomes more dangerous as certificate lifetimes shrink. Practitioners should measure how much of their trust fabric still depends on legacy roots or manually tracked renewals.
Identity proofing for S/MIME needs to be tied to issuance policy. The new validation categories matter because they define how much confidence a certificate actually carries. If mailbox, organisation, sponsor, and individual validation are treated as interchangeable, the assurance model collapses into process theatre. Practitioners should align issuance controls to the identity level the certificate is meant to represent.
Legacy root distrust will surface hidden operational debt across email and service trust. Mozilla’s move reflects a broader shift toward cryptographic agility and policy alignment. Organisations that cannot see where old roots still anchor production trust will experience breakage at the worst possible time. Practitioners should inventory root dependencies before browser policy becomes an outage driver.
What this signals
Certificate governance is converging with identity governance. As certificate lifetimes shrink, the controls that matter most are inventory accuracy, renewal automation, and revocation assurance. That is the same operating logic that governs secrets, workload identities, and other non-human credentials, so teams should expect certificate work to be absorbed into broader identity lifecycle programmes.
Legacy trust chains will become a hidden resilience issue. Organisations that still depend on old roots or manual exceptions will find that browser policy changes expose technical debt faster than planned remediation cycles. The practical response is to map trust dependencies now and treat root age as a resilience metric, not a background detail.
Short-lived certificates reward continuous control, not periodic review. The shift away from long validity periods increases the value of automated discovery and exception management across identity-linked assets. Teams should use the change to tighten their certificate lifecycle model, then carry the same discipline into secrets and workload identity governance.
For practitioners
- Automate certificate discovery and renewal Replace spreadsheet tracking with continuous discovery, expiration monitoring, and automated renewal workflows for S/MIME and TLS certificates. Focus first on certificates that support customer-facing services, internal trust chains, and mailbox security.
- Map certificate trust chains to root policy age Identify which certificates chain to legacy roots and which systems still trust those hierarchies. Prioritise remediation for roots that are already outside current browser or policy expectations.
- Align S/MIME issuance to identity assurance level Use different validation controls for mailbox, organisation, sponsor, and individual certificates instead of one generic approval path. Tie certificate class to the identity proofing evidence required for that class.
- Build revocation testing into change management Test whether revoked or reissued certificates are actually removed from trust paths in email, browser, and service environments. Include revocation checking in routine change windows so broken trust is found before production use.
Key takeaways
- PKI policy is tightening, and manual certificate tracking is no longer a defensible operating model.
- Shorter lifetimes and older-root distrust turn certificate inventory, renewal, and revocation into core governance controls.
- Teams that automate certificate lifecycle management will adapt faster and reduce trust disruption across email and web services.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Certificate validation and trust-chain control support authentication and access assurance. |
| NIST SP 800-53 Rev 5 | IA-5 | IA-5 governs authenticator lifecycle, including certificates used for trust and access. |
| CIS Controls v8 | CIS-5 , Account Management | Certificate ownership and renewal depend on accurate account and asset lifecycle tracking. |
| ISO/IEC 27001:2022 | A.8.2 | Certificate inventory and lifecycle handling fit information asset management expectations. |
| GDPR | Art.32 | S/MIME validation can involve personal data and secure processing obligations. |
Map certificate issuance and renewal to PR.AC-1 and automate trust verification across environments.
Key terms
- Certificate Lifecycle Management: The process of tracking, issuing, renewing, rotating, and revoking certificates across their full life. In mature environments it is automated, monitored, and tied to service ownership so trust does not depend on manual spreadsheets or ad hoc reminders.
- S/MIME: A certificate-based email security standard that uses digital signatures and encryption to protect message integrity and confidentiality. It also supports identity assurance by linking a message to the certificate holder's validated mailbox or organisational control.
- Root Trust Store: The set of trusted certificate authorities a browser or operating system accepts as valid signers. When root trust policies change, any certificate chain depending on older or untrusted roots can break or lose assurance, creating operational and security impact.
- Cryptographic agility: The ability to change cryptographic algorithms, key lengths, or trust models without reworking every application. For machine identities, it reduces the risk that long-lived services will fail when standards shift or when post-quantum migration becomes necessary.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- A closer breakdown of the S/MIME validation categories and what each requires in practice.
- The policy timeline for 90-day certificate validity and how it could affect renewal planning.
- Mozilla's root distrust schedule and the implications for legacy trust-chain remediation.
- The article's automation angle for teams still managing certificates manually.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and identity lifecycle controls that complement certificate governance. It is suited to practitioners aligning identity assurance with broader security operations.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org